from lib.cuckoo.common.abstracts import Signature


class TamperCrypt32Service(Signature):
    name = "tamper_crypt32_service"
    description = "Attempt to tamper with crypt32 subordinate registry, certificate problems can cause network connection failure or computer freeze."
    severity = 3
    categories = ["reg"]
    authors = ["xuhy"]
    minimum = "2.0"

    regkeys_re = [
        ".*\\\\(SYSTEM|System)\\\\(ControlSet001\\\\|CurrentControlSet\\\\)?services\\\\crypt32",
    ]

    def on_complete(self):
        for indicator in self.regkeys_re:
            for regkey in self.check_key(pattern=indicator, regex=True, all=True):
                self.mark_ioc("registry", regkey)

        return self.has_marks()
